It's just that this description is describing an "attack" that is just how attestation works. If you have a problem with attestation, talk about that problem, calling it "an attack" does nothing.
I'm actually against the proposal, too - although I see the merits. The ability to have servers authenticate clients based on the context of that client is amazing - it would seriously improve security if done right. But I personally believe that this should be done through the Device Policy extension exclusively, as it is already done there today, and that the extension should be opened and standardized.
In fact, I believe Google should be forced to do so.